From: firstname.lastname@example.orgAttached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:
Date: 15 August 2016 at 10:37
Subject: Order Confirmation-7069-2714739-20160815-292650
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.
ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof.
The payload is Locky ransomware with a very low detection rate at present. It phones home to:
184.108.40.206/php/upload.php (MWTV, Latvia)
220.127.116.11/php/upload.php (Hetzner, Germany)
18.104.22.168/php/upload.php (Infium UAB, Ukraine)
The MWTV block is all bad. Recommended blocklist: